HardenedLinux

We are "patient" zero, so we hardened ourselves!

May 11, 2015 - 4 minute read - Research

PaX/Grsecurity for Nexus 7 2013

Update( May 28 2015)

The porting work of the PaX patch already done. We tested it with Towel & KINGROOT. The result as expected: they all failed to root the Android 5.0.2 with kernel code base from 2014. Perhaps, we might try to make GRSEC & RBAC into the Android in the future………

KINGROOT1 KINGROOT2 KINGROOT3 TOWELROOT

armv7-nexus7-grsec

PaX/Grsecurity patch for Nexus7, which the original version is 3.4 kernel based with a bunch of backport features and fixes. In some particular cases, TrustZone is useless if the Android kernel were compromised. I don't think we need another rootkit-friendly solution like SELinux always does. Get rid of one entire class of vulns in kernel would be an inevitable ways to make your device secure.

Credit for PaX/Grsecurity

PaX/Grsecurity is the most respected 0ld sch00l community and they have been creating the best defense-in-depth kernel hardening solution for 14 years. What PaX/Grsecurity brings to us, is amazing and incridble work. Unfortunately, there are a lot of reasons that PaX/Grsecurity don't get the credit what they deserves. Let me make this short: To love those who are hatred by BIG BROTHER. That's the fuc*ing point.

What makes us ticks

The age of IoT( Internet of things) is coming soon…There will be huge numbers of devices running with diverse communication protocols. For the simply classify, I'll only treat these devices as two types: One with TCP/IP stack, or not. The one with TCP/IP stack might have high probablity run with GNU/Linux. The one without TCP/IP stack may be just a simple MCU stuff. The heterougenous network need to be protected in various ways. These devices may be running on our cars, refrigrator, or everywhere around us, which could be a risk to our money-shitty property and even lives. That’s one of most important reasons we need to "H A R D E N E N I N G E V E R Y T H I N G" by free software.

PaX/Grsecurity

NAME DESCRIPTION AUTHORS
PAGEEXEC paging based non-executable pages The PaX team, Mar 15 2003
SEGMEXEC segmentation based non-executable pages The PaX team, May 1 2003
ASLR address space layout randomization The PaX team, Mar 15 2003
MPROTECT mmap() and mprotect() restrictions The PaX team, Nov 4 2003
RANDUSTACK userland stack randomization The PaX team, Feb 12 2003
RANDKSTACK kernel stack randomization The PaX team, Jan 24 2003
RANDMMAP mmap() randomization The PaX team, Jan 24 2003
RANDEXEC non-relocatable executable file randomization The PaX team, Feb 19 2003
VMMIRROR vma mirroring, the core of SEGMEXEC and RANDEXEC The PaX team, Oct 6 2003
EMUTRAMP gcc nested function and kernel sigreturn trampolines emulation The PaX team, May 1 2003
EMUSIGRT automatic kernel sigreturn trampoline emulation The PaX team, Feb 19 2003
UDEREF Prevent improper userland code/date access by the kernel The PaX team, May 15 2007

UDEREF/amd64

PaX/Grsecurity writings

intro | Dec 30 2010

Assorted Notes on Defense and Exploitation | Dec 31 2010

False Boundaries and Arbitrary Code Execution | Jan 2 2011

The Dangers of Copy and Paste | Feb 1 2011

The Unseen Benefits of a Security Mindset | Mar 12 2011

Much Ado About Nothing: A Response in Text and Code | Apr 16 2011

Recent Advances: How We Learn From Exploits | Feb 15 2012

Supervisor Mode Access Prevention | Sep 7 2012

Inside the Size Overflow Plugin | Aug 28 2012

Recent ARM Security Improvements | Feb 18 2013

KASLR: An Exercise in Cargo Cult Security | Mar 20 2013

Guest Blog by Rodrigo Branco: PAX_REFCOUNT Documentation | Mar 21 2015

GCC plugins

Better kernels with GCC plugins

History

2005

grsecurity 2.1.0 and kernel vulnerabilities

the “Turing Attack” (was: Sabotaged PaXtest)

2009

The future for grsecurity

2010

Brad Spengler (PaX Team/grsecurity) interview

2011

proactive defense: using read-only memory

2012

Why are the grsecurity patches not included in the Vanilla Kernel?

2013

How The Linux Foundation and Fedora are Addressing Workstation Security

2014

Some Links for Newbies on Grsecurity, and the Big Picture

How GNU/Linux distros deal with offset2lib attack?

Recent isues

locking bug( it may also an issue in upstream)

RPI not booting due to randomize layout plugin